A.3 Pre-Boot Authentication

ZENworks Pre-Boot Authentication (PBA) provides increased authentication security for devices.

The ZENworks PBA is a Linux-based component. When the Disk Encryption policy is applied to a device with a standard hard disk, a 100 MB partition containing a Linux kernel and the ZENworks PBA is created on the hard disk. When the policy is applied to a device with a self-encrypting hard disk, the Linux kernal and ZENworks PBA are installed to the disk’s dCard.

During normal operation, the device boots to the Linux partition and loads the ZENworks PBA. As soon as the user provides the appropriate credentials (user ID/password or smart card), the PBA terminates and the Windows operating system boots, providing access to the encrypted data on the previously hidden and inaccessible Windows drives.

The Linux partition is hardened to increase security, and the ZENworks PBA is protected from alteration through the use of MD5 checksums and uses strong encryption for authentication keys.

A.3.1 ZENworks Pre-Boot Authentication

During creation of the policy, ZENworks Pre-Boot Authentication was either enabled or disabled. You cannot change this setting for the policy.

If ZENworks Pre-Boot Authentication is disabled, none of the remaining settings on the page apply and are therefore disabled.

A.3.2 Authentication Methods

These settings let you configure the methods that can be used for authenticating to a device’s encrypted disks. If you have enabled ZENworks Pre-Boot Authentication, you must select at least one of the methods.

  • Enable user ID/password authentication: Select this option to enable users to authenticate via a user ID and password. If you select this option, you must configure the settings in the User ID/Password Authentication Settings section.

  • Enable smart card authentication: Select this option to enable users to authenticate via a smart card. If you select this option, you must configure the settings in the Smart Card Authentication Settings section.

  • Default Authentication Method: If you enable both the user ID/password and smart card authentication methods, you must select the default method. Both methods are available to a user during pre-boot authentication, but the default method is presented if the user does not select a method within the allotted time.

  • Activate Single Sign-On for ZENworks PBA and Windows Login: Select this option to activate single sign-on for the PBA and Windows login. The user logs in to the PBA and the PBA handles the login to the Windows operating system. Single sign-on applies to both authentication methods (user ID/password or smart card).

A.3.3 User ID/Password Authentication Settings

If you selected Enable user ID/password authentication as one of the supported authentication methods, configure the following settings:

  • During PBA login, show user name of last successful logged-in user: Select this option to prepopulate the User ID field of the PBA login screen with the username of the last user who logged in to the PBA. This is convenient for the device’s primary user, but weakens security by providing unauthorized users with a valid user ID.

  • Create PBA account for first user who logs in to Windows after the policy is applied (User Capturing): Select this option to automatically capture the credentials of the first user to authenticate after the policy is applied. During the first reboot after the policy is applied, the Windows login is displayed and the PBA captures the credentials provided for the Windows login. During subsequent reboots, the PBA login is displayed and accepts the captured credentials.

    Captured credentials exist only on the device where they are captured. The credentials are not stored with this policy.

    If a device has multiple users, the PBA captures only the first user to log in after the policy is applied. You can capture additional users by using the FDE - Enable Additive User Capturing quick task for the device. When the quick task is applied to a device, it activates the user capturing mode for the next reboot. To use the quick task, select the device in Devices > Workstations, then click Quick Tasks > FDE - Enable Additive User Capturing.

    NOTE:The PBA captures the credentials of the first user to authenticate after reboot, whether the credentials are user ID/password or smart card. The PBA login screen allows the user to switch between user ID/password login and smart card login. If a device supports both types of login, you should make sure the device’s user logs in with the user ID/password and not the smart card. Otherwise, the smart card credential is captured and the user cannot log in via the user ID/password. This becomes a problem if you have not enabled smart cards as an authentication method (see Authentication Methods) because the user cannot log in.

  • Allow access for the following users: User capturing is the recommended way to create a PBA account for a device’s users. However, you can enable this option and use the PBA Users list to define PBA user accounts.

    All accounts that you add to the PBA Users list are created on all devices to which the policy is applied. Because of this, the PBA Users list is a good way to give Administrators access to each of the devices. For example, if you have a common Windows Administrator account that you use across devices, you can add the Windows Administrator as a PBA user. You can then log in to both the PBA and Windows on a device by using the Administrator account and password.

    To add a PBA user account, click Add, then fill in the following fields:

    • Replace password if user already exists in PBA: When the policy is applied, if the user you are adding matches an existing PBA user (for example, a user added by a previously applied Disk Encryption policy), the existing user account is retained, including the existing password. Select this option to replace the existing password with the one you specify in this dialog box.

    • User Name: Specify a user name for the PBA user. If single sign-on is active, this user name must be the same as the Windows user name. If single sign-on is not active, the user name does not need to match the Windows user name.

    • Domain: Specify a domain name for the PBA user. If single sign-on is active, this must be the Windows domain name or workgroup name. If single sign-on is not active, this field is optional. You can leave it blank or use it as another component to further distinguish the PBA user name.

    • Password: Specify a password for the PBA user. If single sign-on is active, this must be the Windows password. If single sign-on is not active, you can specify any password.

  • Remove existing users from PBA if not in this list: Select this option to remove any user accounts from the PBA that are not listed in the PBA Users list. Because captured users do not display in the list, they are also removed.

A.3.4 Smart Card Authentication Settings

If you selected Use smart card authentication as one of the supported authentication methods, configure the smart card settings.

  • Smart Card Reader: Select the card reader used by the devices to which this policy will be assigned.

  • PKCS#11 Provider: Select the PKCS #11 provider used by the devices to which this policy will be assigned.

  • Create PBA account for first smart card user who logs in to the ZENworks PBA after the policy is applied (User Capturing): Select this option to automatically capture the credentials of the first user to authenticate after the policy is applied. During the first reboot after the policy is applied, the PBA login screen is displayed and the user is prompted for the smart card. The PBA captures the smart card credentials (certificate and PIN). During subsequent reboots, the PBA login accepts the captured smart card credentials.

    If a device has multiple users, the PBA captures only the first user to log in after the policy is applied. You can capture additional users by using the FDE - Enable Additive User Capturing quick task for the device. When the quick task is applied to a device, it activates the user capturing mode and creates a PBA account for the next user who logs in. To use the quick task, select the device in Devices > Workstations, then click Quick Tasks > FDE - Enable Additive User Capturing.

    NOTE:The PBA captures the credentials of the first user to authenticate after reboot, whether the credentials are smart card or user ID/password. The PBA login screen allows the user to switch from smart card login to user ID/password login, but you should make sure the device’s user logs in with the smart card and not the user ID/password. Otherwise, the user ID/password credential is captured and the user cannot log in via the smart card. This becomes a problem if you have not enabled user ID/password as an authentication method (see Authentication Methods) because the user cannot log in.

  • Allow certificate content to be used for authentication: User capturing is the recommended way to create a PBA account for smart card users because it accurately captures the smart card certificate information. If you don’t enable user capturing, you must manually define certificates that can be used for authentication. If you do enable user capturing, you can still manually define additional certificates that allow access.

    To define a certificate, click Add, fill in the following fields, then click OK to add the certificate to the list:

    • Certificate Name: Specify a name to identify the certificate in this policy. This is simply a display name and does not need to match the certificate file name or any other certificate property.

    • Certificate Content: Open the certificate in a text editor, then cut and paste the contents of the certificate into this box. You must use an X.509 certificate (*.cer; base64-encoded).

  • Remove existing certificates from PBA if not in this list: Select this option to remove any certificates from the PBA that are not listed in the Certificates list. Because captured certificates do not display in the list, they are also removed.

  • Allow certificate key usages to be used for authentication: In addition to enabling user capturing or defining the certificates that can be used for authentication, you need to further identify the certificates via key usages (this setting) or labels (the Allow certificate labels to be used for authentication setting). This adds a second layer of security to the certificate authentication.

    • Key Usages: Key usages define the purposes for which a certificate’s public key can be used, such as Data Encipherment or Digital Signature. You can view a certificate’s key usages by using Microsoft Certificate Manager (available as a snap-in to Microsoft Management Console).

      To add a certificate’s key usages to the list, click Add, select the desired usages (Shift-click or Ctrl-click to select multiple usages), click the arrow to move the selected items to the Selected List box, then click OK.

      If you add more than one key usage, the PBA evaluates the key usages against the certificates in the order the usages are listed, from top to bottom. You can use Move Up and Move Down to change the order of the key usages in the list.

    • Match policy: The match policy determines how many of the defined key usages must be contained in the smart card’s certificate in order for the match to be made and authentication to take place. Select one of the following options:

      • Any: The certificate must contain at least one of the listed key usages.

      • All: The certificate must contain all of the listed key usages.

      • None: The certificate cannot contain any of the listed key usages. This option lets you use the Key Usages list as an exclusion list (blacklist) rather than an inclusion list (whitelist).

  • Allow certificate labels to be used for authentication: In addition to enabling user capturing or defining the certificates that can be used for authentication, you need to further identify the certificates via labels (this setting) or key usages (the Allow certificate key usages to be used for authentication setting). This adds a second layer of security to the certificate authentication.

    A certificate label is a property defined within the certificate. You need to use the PKCS #11 middleware provider software to view the certificate label.

    To add a certificate label to the list, click Add, specify the label (case-sensitive), then click OK.

    If you add more than one label, the PBA attempts to match the first label in the list to a certificate on the authenticating smart card. If no match occurs, the second label is tested, then the third label, and so on until a match occurs or authentication fails. You can determine the order of the labels in the list by selecting a label and clicking Move Up or Move Down to reposition it in the list.